[2012-09-01 17:18 UTC] zyss at mail dot zp dot ua

Unfortunately, most PHP output functions are vulnerable in the same way...
For example, the built-in echo function:
$a = "<script>alert('Positive')</script>";
echo $a; // echo IS VULNERABLE!!!11oneoneeleven
Seriously, a healthy programmer never allows untrusted data (user input) to be passed to stream_filter_register() as well as to other functions.
Moreover, phpinfo() should never be exposed.

[2012-09-14 05:35 UTC] david at nnucomputerwhiz dot com

I can't imagine this bug ever causing any real security problems, but whenever
outputting anything to the browser that could contain HTML entities, they should
be encoded. So php_info_print should probably be modified to use htmlentities so
if it ever tries to print a '&' or '<' to the browser it will be displayed
properly.

[2012-09-14 05:59 UTC] david at nnucomputerwhiz dot com

Added patch. It's a really simple change to use php_info_print_html_esc when
appropriate. We do the same thing with other functions like
php_print_gpcse_array().
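
Added example, not part of the thread above and not PHP's own source: the userland equivalent of the escaping discussed here, rendering the registered stream filter names for an HTML diagnostics page with each name encoded before output. The class name DemoFilter, the function render_filter_row() and the sample filter name are assumptions made up for illustration.

```php
<?php
// A user filter class must extend php_user_filter; the body is left empty
// because this example only registers a name and never runs the filter.
class DemoFilter extends php_user_filter
{
}

// Constructed sample: a filter name containing HTML metacharacters.
$sampleName = 'demo.<b>&"name"';
stream_filter_register($sampleName, 'DemoFilter');

/**
 * Build one HTML table row listing stream filter names.
 * Every name is treated as data and encoded before it reaches the markup.
 */
function render_filter_row(array $names): string
{
    $cells = [];
    foreach ($names as $name) {
        // ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE replaces invalid
        // byte sequences instead of returning an empty string.
        $cells[] = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return '<tr><td>Registered Stream Filters</td><td>'
        . implode(', ', $cells)
        . "</td></tr>\n";
}

// stream_get_filters() returns built-in and user-registered names alike,
// so the constructed name above appears in the row in encoded form.
echo render_filter_row(stream_get_filters());
```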